OpenID Connect & OAuth 2.0 - Security Best Practices

Offered By: NDC Conferences via YouTube

Course Description

Overview

Explore the latest security best practices for OpenID Connect and OAuth 2.0 in this conference talk. It traces the evolution of OAuth 2.0 since its initial publication, examining how it became the standard for API protection and the foundation of OpenID Connect. Learn about the attacks that target known implementation weaknesses and anti-patterns, and how changes in technology have extended these protocols to new use cases and higher-security environments. Gain insight into the IETF "Best Current Practices" (BCPs) that update the original specifications and threat models with more prescriptive guidance. Topics include the simplified attack model, the removal of the password grant, machine-to-machine authentication, sender-constrained access tokens, and interactive applications. Understand key security considerations such as redirect URI validation attacks, preventing credential leakage, and mitigating authorization code injection. Review countermeasures for mix-up attacks, securing public clients, and anti-forgery protection. Finally, look at what comes next for OAuth 2.0 and OpenID Connect, including JWT Secured Authorization Requests (JAR) and Pushed Authorization Requests.

Syllabus

Intro
Some Context...
Simplified
Attack Model (1)
Implicit Flow Request
Implicit Flow Response
No more Password Grant
Grand Unification
Machine to Machine
Client Authentication
Sender Constrained Access Tokens w/ MTLS
Interactive Applications
Redirect URI Validation Attacks
Credential Leakage via Referrer Headers
Authorization Code Injection
Mitigation: Proof Key for Code Exchange
Countermeasures Summary
Mix-Up Attack (Variant 1)
How does ASP.NET Core prevent Mix-Up Attacks?
Public Clients
Anti Pattern: Native Login Dialogs
Using a browser with Code Flow + PKCE
Different Approaches
Anti-Forgery Protection
Refresh Token Storage in Browsers
What's next?
JWT Secured Authorization Requests (JAR)
Pushed Authorization Requests (1)
Taught by

NDC Conferences